
I've successfully configured LDAP and SSH. Also, I've added a requirement that the user should be in a group called admin. That works.

/etc/ldap.conf

...
pam_groupdn cn=admin,ou=Groups,dc=example,dc=com
...

/etc/pam.d/sshd

...default ubuntu values here...
...
auth     required pam_ldap.so
account  required pam_ldap.so
password required pam_ldap.so
session  required pam_ldap.so

BUT I would like to add an exception for a local backup user for emergency cases when LDAP is not reachable. This user has sudo and authorized_keys. How can I achieve that?

Right now I can see only this error message:

sshd[12345]: fatal: Access denied for user backup by PAM account configuration [preauth]
StackzOfZtuff
kay

1 Answer


Thanks to our German friends at https://forum.ubuntuusers.de/topic/pam-so-konfigurieren-dass-lokale-user-nicht-am/. The solution is:

# Allow local user or LDAP user from admin group
account sufficient pam_localuser.so
account required   pam_ldap.so
kay
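
An added example (not part of the original answer): a simplified Python model of how PAM walks the account stack, showing why the ordering above admits the local backup user while LDAP users are still checked against the admin group. The module functions, user names and directory state are constructed assumptions, and only the required and sufficient control flags are modelled.

```python
# Simplified model of how Linux-PAM evaluates an "account" stack.
# Only the "required" and "sufficient" control flags are modelled.

def pam_localuser(user, env):
    # pam_localuser succeeds only if the user is listed in /etc/passwd.
    return user in env["passwd"]

def pam_ldap(user, env):
    # Account check with pam_groupdn set: needs a reachable directory
    # and membership in the configured group (assumed behaviour).
    return env["ldap_up"] and user in env["admin_group"]

MODULES = {"pam_localuser.so": pam_localuser, "pam_ldap.so": pam_ldap}

def parse_stack(text, facility="account"):
    """Return [(control, module)] for one facility, skipping comments."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == facility:
            rules.append((fields[1], fields[2]))
    return rules

def acct_mgmt(rules, user, env):
    """Evaluate the stack; True means the account phase lets the user in."""
    required_failed = False
    for control, module in rules:
        ok = MODULES[module](user, env)
        if control == "sufficient":
            if ok and not required_failed:
                return True  # stop here, later modules never run
        elif control == "required":
            required_failed = required_failed or not ok
        else:
            raise ValueError(f"control flag not modelled: {control}")
    return not required_failed

ORIGINAL = "account required pam_ldap.so"
FIXED = """
# Allow local user or LDAP user from admin group
account sufficient pam_localuser.so
account required   pam_ldap.so
"""
REVERSED = "account required pam_ldap.so\naccount sufficient pam_localuser.so"

# Constructed state: "root" and "backup" are local; "alice" and "bob" exist only in LDAP.
ENV_DOWN = {"passwd": {"root", "backup"}, "admin_group": {"alice"}, "ldap_up": False}
ENV_UP = dict(ENV_DOWN, ldap_up=True)
```

With this stack every account listed in /etc/passwd skips the pam_groupdn check, not only backup, and placing pam_localuser.so after the required pam_ldap.so line would not help because the earlier failure is already recorded.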